Friday, January 26, 2007

PCI, PCI, PCI! OK, but are they focusing at the right things?

Reading this is almost clear that PCI is really the standard of the moment. However, I'm still impressed about how security professionals and vendors dealing with it seem to be missing the point about what is really important and needs to be done first.

One of the main security concepts is risk management. As you can't solve all your security problems, you should start by solving the worst. PCI, however, doesn't mention anywhere a risk assessment to be done aiming at credit card data. There are 12 requirements, all of them with the same importance and at the same level. The results of this is that companies are struggling with security solutions without properly assessing if they are trying to solve the worst problems on their control framework.

Everybody is talking about encryption. Encrypt all transmissions, encrypt data at rest, etc. However, did anybody verify if encryption would be the solution for the main data leaks that happened on the last years? Except for those backup tapes and laptops, I really doubt it.

PCI should turn into a more modern framework, with a phased approach of assessing first to identify the major risks and then defining a security strategy. It can list the minimal points that need to be covered, but it's essential to include a prioritization and planning phase. PCI enforces the existence of specific controls. The appropriateness and priority of them, however, is not considered.

The 1.1 version is, in fact, better than 1.0 as it included the concept of compensatory controls and applications security. I still think that it should include more things about security processes. The standard mentions a "security policy". Why not a Security Program?

No comments:

Post a Comment